Threat Name: None assigned; this macro virus (a macro-based downloader) has been observed downloading multiple malware types under varying names.
Indicators: The email subject may contain the word 'Invoice' along with an invoice number. The attachment is a Word document with the .docm extension, which indicates a macro-enabled document. The document name may also contain the word 'Invoice'.
Post Infection: The user is only infected if they allow the macro to run. Microsoft Word warns the user that enabling macros could damage the computer, which is certainly true in this case.
Domains Contacted: The following domains were contacted after the macro was allowed to run.
- drevenak.cz - 188.8.131.52
- vivercomrequinte.com.br - 184.108.40.206
- www.otmoorelectrical.co.uk - 220.127.116.11
Files Downloaded: The following files were observed being downloaded after the macro was enabled.
- bin.exe - https://www.virustotal.com/en/file/63224095c15ff1206e65d0b8e69a0f7ffc75025d6e5427b206503a5f3e9cf24b/analysis/
- vv.exe - https://www.virustotal.com/en/file/b261f19aab21889d256266bdeb8c1e3e408d495ef4a5648c4f237696f120706b/analysis/1423149772/
- URI: GET /js/bin.exe
- URI: GET /wp-content/uploads/vv.exe
- URI: POST /gate.php
Prevention: Block all .docm files on your email server, if possible. Blacklisting the domains is likely a futile effort, since they can easily change; the same applies to blocking the specific executable files.
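As an added example (not part of the original write-up), the following Python triage helper applies the indicators above to constructed mail metadata and proxy log lines. The hostnames and sample messages are made up; only the .docm/'Invoice' indicators and the URI patterns (GET for an .exe under /js/ or /wp-content/uploads/, POST /gate.php) come from this page.

```python
import re

# Constructed sample mail metadata (not real messages) mirroring the indicators:
# 'Invoice' in the subject and a macro-enabled .docm attachment.
SAMPLE_MAIL = [
    {"subject": "Invoice 48213", "attachments": ["Invoice_48213.docm"]},
    {"subject": "Invoice INV-0092", "attachments": ["invoice.docx"]},
    {"subject": "Meeting notes", "attachments": ["notes.docm"]},
    {"subject": "Re: lunch", "attachments": []},
]

# Constructed proxy log lines: "METHOD host path". Hosts are illustrative;
# the paths follow the URIs recorded under 'Files Downloaded'.
SAMPLE_PROXY_LOG = """\
GET compromised-site.example /js/bin.exe
GET another-site.example /wp-content/uploads/vv.exe
POST c2-host.example /gate.php
GET cdn.example /static/app.js
"""

MACRO_EXTENSIONS = (".docm", ".dotm")  # macro-enabled Word formats


def triage_mail(messages):
    """Return (index, reason) for each message carrying a macro-enabled
    attachment; an 'Invoice' lure in subject or filename is called out."""
    hits = []
    for i, msg in enumerate(messages):
        macro_attachments = [a for a in msg["attachments"]
                             if a.lower().endswith(MACRO_EXTENSIONS)]
        if not macro_attachments:
            continue
        lure = "invoice" in msg["subject"].lower() or any(
            "invoice" in a.lower() for a in macro_attachments)
        hits.append((i, "invoice lure + macro attachment" if lure
                     else "macro attachment"))
    return hits


# Post-infection pattern from the write-up: an executable fetched from a web
# path such as /js/ or /wp-content/uploads/, then a POST to /gate.php.
EXE_FETCH = re.compile(r"^GET\s+(\S+)\s+(/\S*\.exe)$")
GATE_POST = re.compile(r"^POST\s+(\S+)\s+(/gate\.php)$")


def triage_proxy_log(log_text):
    """Return (method, host, path) for each line matching the observed pattern."""
    matches = []
    for line in log_text.splitlines():
        m = EXE_FETCH.match(line) or GATE_POST.match(line)
        if m:
            matches.append((line.split()[0], m.group(1), m.group(2)))
    return matches
```

Alerting on the .exe fetch alone is noisy; correlating it with a following POST to /gate.php from the same host gives a far stronger signal of the infection described above.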
References: Additional analysis of this sample.
- URLquery of vv.exe: https://urlquery.net/report.php?id=1423150125633
- Malware Traffic Analysis: http://malware-traffic-analysis.net/2015/02/03/index.html
- Malwr: https://malwr.com/analysis/ZTM4ODJkYjM5MmQ0NGJkMDhkMzFjZjMwYWYyN2M3ZDM/